• Trying to make extremely secure firewall

    From linux_forum1@21:1/5 to All on Sun Dec 26 00:20:02 2021
    This is a multi-part message in MIME format.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Robert Ricardo Ikaka@21:1/5 to All on Sat Jan 15 04:30:02 2022
    https://chng.it/jJvMChbdsJ

    Sun, 26 Dec 2021, 02:13 linux_forum1 <linux_forum1@protonmail.com>:

    Hello, I'm trying to make the most specific, secure and restrictive
    iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!

    VPN Server Port:1194

    VPN Server IP: 189.174.135.110

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP

    #no fragmented packets
    -A INPUT -f -j DROP
    #localhost
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
    -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # first packet has to be TCP syn
    -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    #drop sop icmp
    -A INPUT -p icmp --icmp-type address-mask-request -j DROP
    -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    #Ping from inside to outside
    -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    #drop broadcast, multicast anycast
    -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    -A INPUT -m addrtype --dst-type ANYCAST -j DROP
    -A INPUT -d 224.0.0.0/4 -j DROP
    #drop invalid
    -A INPUT -m state --state INVALID -j DROP
    #drop spoofed packets
    -A INPUT -s 0.0.0.0/8 -j DROP
    -A INPUT -d 0.0.0.0/8 -j DROP
    -A INPUT -d 239.255.255.0/24 -j DROP
    -A INPUT -d 255.255.255.255 -j DROP
    # DROP RFC1918 PACKETS
    -A INPUT -s 10.0.0.0/8 -j DROP
    -A INPUT -s 172.16.0.0/12 -j DROP
    -A INPUT -s 192.168.0.0/16 -j DROP
    #Allow VPN

    -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT







